VYPR
Breach · Published May 11, 2026 · Updated May 18, 2026 · 1 source

UK Water Company Allowed Hackers to Lurk Undetected for Nearly Two Years, Regulator Finds

The UK ICO fined South Staffordshire Water £963,900 for a Cl0p ransomware breach that exposed data of 633,887 customers, with attackers undetected for nearly two years.

The UK Information Commissioner's Office (ICO) has fined South Staffordshire Water £963,900 ($1.3 million) for a Cl0p ransomware attack that exposed the personal data of 633,887 customers and employees. The breach, which came to light in August 2022, saw attackers lurk undetected in the company's network for nearly two years after initial access was gained in September 2020 via a malicious email attachment.

The attackers exploited a domain administrator account and the ZeroLogon vulnerability (CVE-2020-1472) on unpatched domain controllers to move laterally and escalate privileges. The ICO's investigation revealed that the company failed to implement the principle of least privilege, allowing the threat actor to roam freely. Additionally, an outsourced security operations center monitored only 5% of the IT environment as of December 2021, and no vulnerability scans were conducted between September 2020 and May 2022.

The breach resulted in the publication of 4.1 terabytes of data on the dark web, including names, addresses, bank account details, and National Insurance numbers. The company only discovered the intrusion in July 2022 after IT performance issues prompted an internal investigation, followed by the discovery of a ransom note. The ICO's Interim Executive Director for Regulatory Supervision, Ian Hulme, stated, "Waiting for performance issues or a ransom note to discover a breach is not acceptable."

The incident highlights systemic security failures in critical infrastructure. South Staffordshire Water, which supplies drinking water to 1.6 million people, had devices running Windows Server 2003, an operating system whose extended support ended in 2015. The Cl0p group initially claimed to have breached Thames Water, but the ICO's penalty notice focuses solely on South Staffordshire. No compromise of operational technology or water treatment systems was found.

The fine was reduced due to the company's cooperation and early admission of liability, with a further discretionary reduction applied. South Staffordshire entered a voluntary settlement and agreed not to appeal. The breach underscores the growing cyber threat to UK water suppliers, with five incidents reported to the Drinking Water Inspectorate between January 2024 and October 2025 — a record number.

The UK government's Cyber Security and Resilience Bill, which aims to expand mandatory reporting requirements and improve security standards for critical infrastructure, is expected to be introduced to Parliament this year. This case serves as a stark reminder that proactive security is a legal requirement, not an optional extra, especially for entities responsible for essential services.

Synthesized by Vypr AI